The California Attorney General's office has made mobile app investigations a top priority for 2023, specifically targeting the retail, travel, and food service industries. The expiration of the 30-day cure period means companies will no longer have a chance to rectify compliance issues before facing penalties. It is important for organizations to take privacy enforcement seriously and proactively address any gaps. The focus of the investigations is on consumer choice, particularly whether companies offer opt-out options, mechanisms to stop data sale, and proper response to opt-out requests.
The need for regulations to protect children online has become a widely acknowledged concern among policymakers, consumers, technologists, and regulators. Both the UK and California have recognized the lack of child-centric design in the internet and have introduced codes and regulations to address this issue.
The focus of these regulations is on online service providers that are likely to be accessed by children. Both the UK and California codes define this as any online service directed at children under 18, those that appeal to children, or those that are used significantly by children. These codes aim to ensure that online services take appropriate measures to protect the privacy and well-being of young users.
The final passage of Assembly Bill 2273, also known as the California Age-Appropriate Design Code Act, has generated mixed reviews. While the U.S. Congress has yet to finalize regulations for children's online privacy and content moderation, the California Legislature has taken the initiative to address these concerns.
The bill, which has unanimously passed both the State Assembly and Senate, is currently awaiting enactment by Governor Gavin Newsom. It aims to enhance online safety by introducing unique privacy requirements specifically designed to protect minors aged 17 and under. If the bill is enacted, it will come into effect on July 1, 2024.
The work of the California Privacy Protection Agency, established under the California Privacy Rights Act, has made progress. On October 4, it appointed Ashkan Soltani as its Executive Director and was in the process of hiring a general counsel and deputy director of administration. The agency has also been actively engaged in its rulemaking responsibilities, undertaking preliminary rulemaking activities to determine suitable new regulations or amendments. However, meeting the July 1, 2022 statutory deadline for adopting final CPRA regulations posed a significant challenge due to the extensive scope and complexity of the areas to be regulated and the limited resources of the newly formed agency. Despite these obstacles, the California Privacy Protection Agency is working diligently to shape its framework and fulfill its mandate of protecting privacy rights in the state.
California Attorney General Rob Bonta has released guidance aimed at ensuring that health care facilities and providers are aware of their compliance obligations regarding state and federal health data privacy laws. The attorney general's bulletin, which was sent to stakeholder organizations, emphasizes the requirement for notifying the California Department of Justice in the event of a breach involving the health data of more than 500 state residents. This guidance serves as a reminder for health care entities to stay vigilant and take the necessary steps to protect the privacy of individuals' health information. By adhering to these obligations, health care facilities and providers can uphold their legal responsibilities and maintain the trust and confidence of their patients and the public.
The California Attorney General's Office has made a significant update to its frequently asked questions page on the California Consumer Privacy Act (CCPA) that could have far-reaching implications. The update specifically addresses the Global Privacy Control (GPC), a browser extension that enables users to automatically exercise their right to opt out of the sale of their personal information. According to the attorney general's CCPA FAQ page, covered businesses are now required to honor the GPC as a valid consumer request to stop the sale of personal information. This decision not only impacts how do-not-sell requests are handled in California but also has implications for current and future privacy laws in other U.S. states.
According to The Mercury News, the digital Immunization Information System maintained by the California Public Department of Health is storing COVID-19 vaccination records of residents, giving rise to privacy concerns. Privacy advocates argue that existing regulations fail to adequately safeguard vaccine data against potential leaks or sale on data markets. They also express worry about the weakening of confidentiality laws and the integrity of vaccine verification systems. Pam Dixon, the Executive Director of the World Privacy Forum, cautions against hasty implementation of vaccine credentialing systems, emphasizing the need to carefully assess and ensure that any such systems do not lead to future regrets. The concerns surrounding the privacy of vaccination records highlight the importance of robust privacy safeguards and thoughtful approaches to handling sensitive health data.
According to the Electronic Frontier Foundation (EFF) report, there is a significant level of vehicle surveillance in California. The report is based on extensive data and multiple requests made under the California Public Records Act. It highlights that numerous agencies in the state collected an enormous volume of automated license plate reader scans, surpassing one billion in 2019 alone. Surprisingly, only 0.1% of this data was actively associated with ongoing investigations. The EFF emphasizes the creation of "hot lists" for license plates, resulting in the storage of vast amounts of data unrelated to these lists. According to the EFF, this practice constitutes a serious infringement on privacy rights, representing a fundamental violation. The report sheds light on the magnitude of vehicle surveillance activities and raises concerns regarding the protection of individuals' privacy in California.
The appointments to the California Privacy Protection Agency (CPPA) board have sparked curiosity about the agency's enforcement priorities and strategy. The recently announced inaugural board members offer some insights into their approach. Jennifer Urban, a Clinical Professor of Law at the University of California, Berkeley, was selected as the CPPA chair. Other board members include John Thompson, Senior Vice President of Government Relations at LA 2028, Angela Sierra, Chief Assistant Attorney General of the Public Rights in California, Lydia de la Torre, an attorney at Squire Patton Boggs and member of the IAPP, and Vinhcent Le, an attorney at the Greenlining Institute. These appointments indicate a diverse range of expertise and perspectives within the CPPA, highlighting their commitment to effective privacy regulation in California.